In a Public Land Mobile Network (PLMN) conforming to the GSM architecture, information sent over dedicated channels is encrypted between the mobile station (MS, e.g. a user's device) and the base station. This encryption is performed on a radio frame level (i.e. physical layer) using keys that have been generated by the Subscriber Identity Module (SIM) during the initial authentication when the MS attaches to the GSM network. Once encryption is established, all information is encrypted in the same way. There is no encryption on common channels such as broadcast, paging or random access channels.
Exemplary signalling required to set up encryption is shown in FIG. 1. To set up a dedicated channel, the MS performs the Radio Resource (RR) connection establishment procedure (1.1). This can be triggered for several reasons, but is always initiated by the MS:                The MS receives a page for an incoming SMS or voice call.        The MS initiates an outgoing SMS or voice call.        The MS wants to perform some signalling (such as location area updates).        
The procedure is initiated by the MS sending a “channel request” message on a common channel. The PLMN responds with an “immediate assignment” message, specifying a dedicated channel to use for further signalling. It is this channel which is used to set up encryption.
The MS sends information to the GSM network about its encryption capabilities as part of the MS Classmark 1-3 information elements (1.2). This includes the MS's support for the encryption algorithms in GSM, of which A5/0 to A5/3 are used for voice traffic. A5/0 is null encryption (i.e. the call is sent as plaintext), and A5/1 and A5/2 have been shown to be breakable in practical attacks unless additional measures such as plaintext randomisation are performed. The transfer of these encryption capabilities is itself not encrypted. This information is used by the PLMN to determine which algorithm should be used; normally the strongest supported by both the base station and the MS (1.3).
The PLMN enables encryption by sending a “CIPHERING MODE COMMAND” to the MS indicating “ciphered” and the encryption to be used (1.4). The MS responds with a “CIPHERING MODE COMPLETE” command sent using the encryption (1.5), and all further communication is encrypted (1.6) until either the MS leaves dedicated mode (i.e. no longer requires the dedicated channel), or the encryption is switched off or modified by the PLMN using another “CIPHERING MODE COMMAND” or a “HANDOVER COMMAND”. Encryption on a dedicated channel can only be switched off by a message that is itself encrypted.
In a GSM network, the PLMN can authenticate the MS and SIM (e.g. to confirm that the SIM is allowed to use the PLMN). However, in contrast to third and fourth generation architectures, there is no facility in the GSM standards for the MS to authenticate the PLMN (i.e. to confirm which PLMN it is attached to, or to confirm the identity of a base station in that PLMN). This allows attackers to potentially intercept traffic from mobile stations using a false base station.
The attacker causes the intended victim to connect to a false base station, rather than an authentic base station, by having the false base station broadcast at high power, or be set up close to the intended target, such that it provides a stronger signal than an authentic base station. [The victim's MS will only connect to the false base station when it is first turned on, or when it is coming out of “idle mode”, i.e. it does not currently have a dedicated channel, as handovers are handled by the network in such a way that the MS would not connect to a false base station.] Once the MS is connected to the false base station, the attacker can manipulate the signalling during the RR establishment procedure in order to use weak encryption algorithms or no encryption at all. This allows information sent over the connection, including calls and SMS messages, to be recorded and deciphered, or simply recorded if no encryption was used.
There are two attack scenarios considered herein, which differ primarily in how information intercepted by the false base station is transmitted afterwards.
In a “fake network” (FN) attack, the attacker sets up a “backhaul” through which outgoing calls and SMS messages can be routed. This could, for example, be a voice over Internet Protocol (VoIP) service and an internet connection. Caller ID spoofing and SMS sender spoofing are used to ensure that the recipient of the voice call or SMS sees it as coming from the victim. As the victim's MS is not connected to the authentic PLMN, incoming calls and SMSs sent to his mobile subscriber digital network-number (MSISDN) cannot be routed to the MS, though the attacker can send his own SMSs and incoming calls to the MS. This type of attack has been demonstrated to work against GSM networks, e.g. at Defcon 2010, “Practical Cellphone Spying”—Chris Paget.
To identify the intended victim, the IMSI of that victim's MS should be known to the attacker, to allow the fake base station to reject connection attempts by other MSs, either by not providing service or by signalling that the base station is not available.
In a “man-in-the-middle” (MITM) attack, the attacker sets up a false base station which is connected to a mobile station controlled by the attacker. The attacker's MS is configured to connect to an authentic base station, and relays all traffic associated with the victim's MS between the false base station and the authentic base station. When the victim's MS sends information to the network about its encryption capabilities, the attacker modifies this information so that it appears that the MS only supports weak or null encryption, thus ensuring that future traffic is sent in a form that can be intercepted and deciphered. Such a device is described in the European patent EP 1051053.
For both attack cases, the attack will only function on a network in which the MS cannot authenticate the base station, such as a GSM network. In the case of networks supporting third (e.g. 3G/UMTS) and fourth generation technologies (4G/LTE), GSM may also be supported in order to ensure backwards compatibility with legacy GSM terminals. For terminals supporting GSM as well as third and/or fourth generation technologies, an attacker may jam all but the GSM signals to allow one of the above attacks to succeed.
A more detailed description will now be given of each attack.
A “fake network” attack proceeds as follows, with reference to FIG. 2:                The attacker sets up a false base station with some communication “backhaul” that will allow voice calls and SMS messages sent through the base station to be completed (however, since the MS is not registered on its own network, incoming voice calls cannot be directed to it and so will fail). This base station is set up close to the victim and/or transmitting with high power to cause terminals to connect to it as it provides the strongest signal (2.1).        The victim's terminal either attaches to the false base station on power up, or connects to it when coming out of idle mode as it offers the best radio conditions. Other terminals in the area may be given a “registration failed” message by the false base station, causing them to connect to the next best signal (usually the real base station), or allowed to connect, but not able to route calls or other signalling. Alternatively, the false basestation may relay calls from the other terminals, but choose not to record them. To perform this, the network, and ideally the IMSI (International Mobile Subscriber Identifier) of the target MS should be known. Knowing the network allows the false base station to broadcast a signal that the MS will connect to, and knowing the IMSI allows it to filter out other connections, and only monitor the communications from the target MS.        The victim initiates, for example, a voice call. Following the RR establishment procedure, the false base station either omits to enable encryption, or else enables A5/0 (null) encryption (2.4). The transmissions by the MS (2.5) are recorded by the false base station (2.6), and sent on through the “backhaul” (2.7). The victim may or may not have a warning symbol displayed on the terminal to state that there is no encryption, depending on the terminal implementation.        
A “Man in the Middle” attack proceeds as follows, with reference to FIG. 3:                The attacker sets up a false base station that uses a second radio link, by using a modified MS or similar, to connect to the victim's PLMN masquerading as the victim's MS. As in the previous case, this base station is set up close to the victim and/or transmitting at high power, to ensure that the victim's MS connects to it. The modified MS is configured to ignore the false base station, or vice versa, to ensure that it can connect to the real PLMN. In this way, the attacker can interpose itself between the network and the victim's MS to act as a man-in-the-middle (3.1).        The victim's terminal either attaches to the false base station on power up, or connects to it when coming out of idle mode as it offers the best radio conditions. Other terminals in the area may be given a “registration failed” message by the false base station, causing them to connect to the next best signal (usually the real base station), or allowed to connect, but not able to route calls or other signalling. Alternatively, the false basestation may relay calls from the other terminals, but choose not to record them. To perform this, the network, and ideally the IMSI (International Mobile Subscriber Identifier) of the target MS must be known. Knowing the network allows the false base station to broadcast a signal that the MS will connect to, and knowing the IMSI allows it to filter out other connections, and only monitor the communications from the target MS.        The victim initiates, for example, a voice call. The RR establishment procedure happens as normal, and is routed via the fake base station (3.2). When the victim's MS is negotiating the encryption (3.3), the attacker modifies the information sent to make it appear that the victim's MS supports only weak or null encryption (3.4). The PLMN therefore concludes that the best available encryption is this weak or null encryption (3.5), and sends a CIPHERING MODE COMMAND indicating that this is the encryption to be used (3.6). The victim's MS now transmits using this weak or null encryption (3.8), allowing the fake base station to record the communications to and from the MS (3.9), and act as a relay between the MS and the PLMN (3.10) so that the victim does not experience anything different to normal. The victim may or may not have a warning symbol displayed on the terminal to state that there is no encryption, depending on the terminal implementation.        
The only known solutions to these attacks within the context of a GSM architecture involve making changes to the hardware or firmware layers of the terminals, e.g. to change the security protocol to include authentication of the network, or to introduce behaviour forbidding communications (except for the establishment of connections and encryption) in a network that uses no or weak encryption. The drawback to these solutions is that they only work for new GSM terminals, or require changes to firmware on older terminals, which is often closed source and the companies controlling the firmware may be reluctant to provide updates for older models.